Regardless of whether the server was set up with self-signed or CA-signed certificates, the steps to replace the server certificate are nearly identical.
This task makes the following assumptions:
- You are replacing the self-signed server certificate.
- The certificate alias is server-cert.
- The private key is stored in keystore.
- The trusted certificates are stored in truststore.
- The keystore and truststore use the JKS keystore format.
If a PKCS#12 keystore format was used for the keystore and truststore files during setup, change the --keystore-type argument in the manage-certificate commands to PKCS12 in the relevant steps.
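To confirm which format an existing file uses before choosing the --keystore-type value, you can inspect its leading bytes. The following is an added example, not part of the product documentation; the function name keystore_type and the sample file paths are assumptions.

```shell
#!/bin/sh
# Added example: classify a keystore or truststore file by its leading bytes.
# JKS files begin with the magic number 0xFEEDFEED.
# PKCS#12 files are DER-encoded and begin with a SEQUENCE tag (0x30); other
# DER files share that first byte, so treat "PKCS12" as a strong hint only.
keystore_type() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "UNREADABLE"
        return 1
    fi
    # Read the first four bytes as lowercase hex with no separators.
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo "JKS" ;;
        30*)      echo "PKCS12" ;;
        "")       echo "EMPTY"; return 1 ;;
        *)        echo "UNKNOWN"; return 1 ;;
    esac
}

# Stand-alone use: pass the keystore and truststore paths as arguments.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(keystore_type "$f")"
done
```

If the keystore and truststore report different formats, or either reports UNKNOWN, resolve that before starting the replacement so that every manage-certificate command is given the matching type.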
While the certificate is being replaced, existing secure connections continue to work. If the server is restarted, or if a topology change requires a reset of peer connections, the server continues authenticating with its peers, all of whom trust the new certificate.
To replace the server certificate with no downtime, complete the following tasks: